Home | History | Annotate | Download | only in src 
      1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef SANDBOX_WIN_SRC_SANDBOX_POLICY_H_
      6 #define SANDBOX_WIN_SRC_SANDBOX_POLICY_H_
      7 
      8 #include <stddef.h>
      9 #include <stdint.h>
     10 
     11 #include "base/strings/string16.h"
     12 #include "sandbox/win/src/sandbox_types.h"
     13 #include "sandbox/win/src/security_level.h"
     14 
     15 namespace sandbox {
     16 
     17 class TargetPolicy {
     18  public:
     19   // Windows subsystems that can have specific rules.
     20   // Note: The process subsystem(SUBSY_PROCESS) does not evaluate the request
     21   // exactly like the CreateProcess API does. See the comment at the top of
     22   // process_thread_dispatcher.cc for more details.
     23   enum SubSystem {
     24     SUBSYS_FILES,             // Creation and opening of files and pipes.
     25     SUBSYS_NAMED_PIPES,       // Creation of named pipes.
     26     SUBSYS_PROCESS,           // Creation of child processes.
     27     SUBSYS_REGISTRY,          // Creation and opening of registry keys.
     28     SUBSYS_SYNC,              // Creation of named sync objects.
     29     SUBSYS_WIN32K_LOCKDOWN    // Win32K Lockdown related policy.
     30   };
     31 
     32   // Allowable semantics when a rule is matched.
     33   enum Semantics {
     34     FILES_ALLOW_ANY,       // Allows open or create for any kind of access that
     35                            // the file system supports.
     36     FILES_ALLOW_READONLY,  // Allows open or create with read access only.
     37     FILES_ALLOW_QUERY,     // Allows access to query the attributes of a file.
     38     FILES_ALLOW_DIR_ANY,   // Allows open or create with directory semantics
     39                            // only.
     40     NAMEDPIPES_ALLOW_ANY,  // Allows creation of a named pipe.
     41     PROCESS_MIN_EXEC,      // Allows to create a process with minimal rights
     42                            // over the resulting process and thread handles.
     43                            // No other parameters besides the command line are
     44                            // passed to the child process.
     45     PROCESS_ALL_EXEC,      // Allows the creation of a process and return full
     46                            // access on the returned handles.
     47                            // This flag can be used only when the main token of
     48                            // the sandboxed application is at least INTERACTIVE.
     49     EVENTS_ALLOW_ANY,      // Allows the creation of an event with full access.
     50     EVENTS_ALLOW_READONLY,  // Allows opening an even with synchronize access.
     51     REG_ALLOW_READONLY,     // Allows readonly access to a registry key.
     52     REG_ALLOW_ANY,          // Allows read and write access to a registry key.
     53     FAKE_USER_GDI_INIT,     // Fakes user32 and gdi32 initialization. This can
     54                             // be used to allow the DLLs to load and initialize
     55                             // even if the process cannot access that subsystem.
     56     IMPLEMENT_OPM_APIS      // Implements FAKE_USER_GDI_INIT and also exposes
     57                             // IPC calls to handle Output Protection Manager
     58                             // APIs.
     59   };
     60 
     61   // Increments the reference count of this object. The reference count must
     62   // be incremented if this interface is given to another component.
     63   virtual void AddRef() = 0;
     64 
     65   // Decrements the reference count of this object. When the reference count
     66   // is zero the object is automatically destroyed.
     67   // Indicates that the caller is done with this interface. After calling
     68   // release no other method should be called.
     69   virtual void Release() = 0;
     70 
     71   // Sets the security level for the target process' two tokens.
     72   // This setting is permanent and cannot be changed once the target process is
     73   // spawned.
     74   // initial: the security level for the initial token. This is the token that
     75   //   is used by the process from the creation of the process until the moment
     76   //   the process calls TargetServices::LowerToken() or the process calls
     77   //   win32's RevertToSelf(). Once this happens the initial token is no longer
     78   //   available and the lockdown token is in effect. Using an initial token is
     79   //   not compatible with AppContainer, see SetAppContainer.
     80   // lockdown: the security level for the token that comes into force after the
     81   //   process calls TargetServices::LowerToken() or the process calls
     82   //   RevertToSelf(). See the explanation of each level in the TokenLevel
     83   //   definition.
     84   // Return value: SBOX_ALL_OK if the setting succeeds and false otherwise.
     85   //   Returns false if the lockdown value is more permissive than the initial
     86   //   value.
     87   //
     88   // Important: most of the sandbox-provided security relies on this single
     89   // setting. The caller should strive to set the lockdown level as restricted
     90   // as possible.
     91   virtual ResultCode SetTokenLevel(TokenLevel initial, TokenLevel lockdown) = 0;
     92 
     93   // Returns the initial token level.
     94   virtual TokenLevel GetInitialTokenLevel() const = 0;
     95 
     96   // Returns the lockdown token level.
     97   virtual TokenLevel GetLockdownTokenLevel() const = 0;
     98 
     99   // Sets the security level of the Job Object to which the target process will
    100   // belong. This setting is permanent and cannot be changed once the target
    101   // process is spawned. The job controls the global security settings which
    102   // can not be specified in the token security profile.
    103   // job_level: the security level for the job. See the explanation of each
    104   //   level in the JobLevel definition.
    105   // ui_exceptions: specify what specific rights that are disabled in the
    106   //   chosen job_level that need to be granted. Use this parameter to avoid
    107   //   selecting the next permissive job level unless you need all the rights
    108   //   that are granted in such level.
    109   //   The exceptions can be specified as a combination of the following
    110   //   constants:
    111   // JOB_OBJECT_UILIMIT_HANDLES : grant access to all user-mode handles. These
    112   //   include windows, icons, menus and various GDI objects. In addition the
    113   //   target process can set hooks, and broadcast messages to other processes
    114   //   that belong to the same desktop.
    115   // JOB_OBJECT_UILIMIT_READCLIPBOARD : grant read-only access to the clipboard.
    116   // JOB_OBJECT_UILIMIT_WRITECLIPBOARD : grant write access to the clipboard.
    117   // JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS : allow changes to the system-wide
    118   //   parameters as defined by the Win32 call SystemParametersInfo().
    119   // JOB_OBJECT_UILIMIT_DISPLAYSETTINGS : allow programmatic changes to the
    120   //  display settings.
    121   // JOB_OBJECT_UILIMIT_GLOBALATOMS : allow access to the global atoms table.
    122   // JOB_OBJECT_UILIMIT_DESKTOP : allow the creation of new desktops.
    123   // JOB_OBJECT_UILIMIT_EXITWINDOWS : allow the call to ExitWindows().
    124   //
    125   // Return value: SBOX_ALL_OK if the setting succeeds and false otherwise.
    126   //
    127   // Note: JOB_OBJECT_XXXX constants are defined in winnt.h and documented at
    128   // length in:
    129   //   http://msdn2.microsoft.com/en-us/library/ms684152.aspx
    130   //
    131   // Note: the recommended level is JOB_RESTRICTED or JOB_LOCKDOWN.
    132   virtual ResultCode SetJobLevel(JobLevel job_level,
    133                                  uint32_t ui_exceptions) = 0;
    134 
    135   // Returns the job level.
    136   virtual JobLevel GetJobLevel() const = 0;
    137 
    138   // Sets a hard limit on the size of the commit set for the sandboxed process.
    139   // If the limit is reached, the process will be terminated with
    140   // SBOX_FATAL_MEMORY_EXCEEDED (7012).
    141   virtual ResultCode SetJobMemoryLimit(size_t memory_limit) = 0;
    142 
    143   // Specifies the desktop on which the application is going to run. If the
    144   // desktop does not exist, it will be created. If alternate_winstation is
    145   // set to true, the desktop will be created on an alternate window station.
    146   virtual ResultCode SetAlternateDesktop(bool alternate_winstation) = 0;
    147 
    148   // Returns the name of the alternate desktop used. If an alternate window
    149   // station is specified, the name is prepended by the window station name,
    150   // followed by a backslash.
    151   virtual base::string16 GetAlternateDesktop() const = 0;
    152 
    153   // Precreates the desktop and window station, if any.
    154   virtual ResultCode CreateAlternateDesktop(bool alternate_winstation) = 0;
    155 
    156   // Destroys the desktop and windows station.
    157   virtual void DestroyAlternateDesktop() = 0;
    158 
    159   // Sets the integrity level of the process in the sandbox. Both the initial
    160   // token and the main token will be affected by this. If the integrity level
    161   // is set to a level higher than the current level, the sandbox will fail
    162   // to start.
    163   virtual ResultCode SetIntegrityLevel(IntegrityLevel level) = 0;
    164 
    165   // Returns the initial integrity level used.
    166   virtual IntegrityLevel GetIntegrityLevel() const = 0;
    167 
    168   // Sets the integrity level of the process in the sandbox. The integrity level
    169   // will not take effect before you call LowerToken. User Interface Privilege
    170   // Isolation is not affected by this setting and will remain off for the
    171   // process in the sandbox. If the integrity level is set to a level higher
    172   // than the current level, the sandbox will fail to start.
    173   virtual ResultCode SetDelayedIntegrityLevel(IntegrityLevel level) = 0;
    174 
    175   // Sets a capability to be enabled for the sandboxed process' AppContainer.
    176   virtual ResultCode SetCapability(const wchar_t* sid) = 0;
    177 
    178   // Sets the LowBox token for sandboxed process. This is mutually exclusive
    179   // with SetAppContainer method.
    180   virtual ResultCode SetLowBox(const wchar_t* sid) = 0;
    181 
    182   // Sets the mitigations enabled when the process is created. Most of these
    183   // are implemented as attributes passed via STARTUPINFOEX. So they take
    184   // effect before any thread in the target executes. The declaration of
    185   // MitigationFlags is followed by a detailed description of each flag.
    186   virtual ResultCode SetProcessMitigations(MitigationFlags flags) = 0;
    187 
    188   // Returns the currently set mitigation flags.
    189   virtual MitigationFlags GetProcessMitigations() = 0;
    190 
    191   // Sets process mitigation flags that don't take effect before the call to
    192   // LowerToken().
    193   virtual ResultCode SetDelayedProcessMitigations(MitigationFlags flags) = 0;
    194 
    195   // Returns the currently set delayed mitigation flags.
    196   virtual MitigationFlags GetDelayedProcessMitigations() const = 0;
    197 
    198   // Disconnect the target from CSRSS when TargetServices::LowerToken() is
    199   // called inside the target.
    200   virtual void SetDisconnectCsrss() = 0;
    201 
    202   // Sets the interceptions to operate in strict mode. By default, interceptions
    203   // are performed in "relaxed" mode, where if something inside NTDLL.DLL is
    204   // already patched we attempt to intercept it anyway. Setting interceptions
    205   // to strict mode means that when we detect that the function is patched we'll
    206   // refuse to perform the interception.
    207   virtual void SetStrictInterceptions() = 0;
    208 
    209   // Set the handles the target process should inherit for stdout and
    210   // stderr.  The handles the caller passes must remain valid for the
    211   // lifetime of the policy object.  This only has an effect on
    212   // Windows Vista and later versions.  These methods accept pipe and
    213   // file handles, but not console handles.
    214   virtual ResultCode SetStdoutHandle(HANDLE handle) = 0;
    215   virtual ResultCode SetStderrHandle(HANDLE handle) = 0;
    216 
    217   // Adds a policy rule effective for processes spawned using this policy.
    218   // subsystem: One of the above enumerated windows subsystems.
    219   // semantics: One of the above enumerated FileSemantics.
    220   // pattern: A specific full path or a full path with wildcard patterns.
    221   //   The valid wildcards are:
    222   //   '*' : Matches zero or more character. Only one in series allowed.
    223   //   '?' : Matches a single character. One or more in series are allowed.
    224   // Examples:
    225   //   "c:\\documents and settings\\vince\\*.dmp"
    226   //   "c:\\documents and settings\\*\\crashdumps\\*.dmp"
    227   //   "c:\\temp\\app_log_?????_chrome.txt"
    228   virtual ResultCode AddRule(SubSystem subsystem, Semantics semantics,
    229                              const wchar_t* pattern) = 0;
    230 
    231   // Adds a dll that will be unloaded in the target process before it gets
    232   // a chance to initialize itself. Typically, dlls that cause the target
    233   // to crash go here.
    234   virtual ResultCode AddDllToUnload(const wchar_t* dll_name) = 0;
    235 
    236   // Adds a handle that will be closed in the target process after lockdown.
    237   // A NULL value for handle_name indicates all handles of the specified type.
    238   // An empty string for handle_name indicates the handle is unnamed.
    239   virtual ResultCode AddKernelObjectToClose(const wchar_t* handle_type,
    240                                             const wchar_t* handle_name) = 0;
    241 
    242   // Adds a handle that will be shared with the target process. Does not take
    243   // ownership of the handle.
    244   virtual void AddHandleToShare(HANDLE handle) = 0;
    245 
    246   // Locks down the default DACL of the created lockdown and initial tokens
    247   // to restrict what other processes are allowed to access a process' kernel
    248   // resources.
    249   virtual void SetLockdownDefaultDacl() = 0;
    250 
    251   // Enable OPM API redirection when in Win32k lockdown.
    252   virtual void SetEnableOPMRedirection() = 0;
    253   // Enable OPM API emulation when in Win32k lockdown.
    254   virtual bool GetEnableOPMRedirection() = 0;
    255 };
    256 
    257 }  // namespace sandbox
    258 
    259 
    260 #endif  // SANDBOX_WIN_SRC_SANDBOX_POLICY_H_
    261